25 March 2016
U.S. to Pursue Renegotiation of Cybersecurity Export Rule
Federal agencies have reportedly approved a decision to seek to partially renegotiate a 2013 Wassenaar Arrangement rule that would limit exports of specified cybersecurity items. The decision follows overwhelming private sector opposition to a May 2015 BIS proposal to amend the Export Administration Regulations to reflect the Wassenaar rule.
The BIS proposed rule would establish a licence requirement for the export, re-export or transfer (in-country) of the following cybersecurity items to all destinations except Canada: (i) systems, equipment or components specially designed for the generation, operation or delivery of, or communication with, intrusion software (including network penetration testing products that use intrusion software to identify vulnerabilities of computers and network-capable devices); (ii) software specially designed or modified for the development or production of such systems, equipment or components; (iii) software specially designed for the generation, operation or delivery of, or communication with, intrusion software; (iv) technology required for the development of intrusion software (including proprietary research on the vulnerabilities and exploitation of computers and network-capable devices) and (v) Internet protocol network communications surveillance systems or equipment and test, inspection, production equipment, specially designed components therefor, and development and production software and technology therefor.
Virtually all of the hundreds of comments submitted on this proposal were negative and focused on three main issues. First, the proposed definition of “intrusion software” is too broad and would catch products such as malware recovery tools and defence research tools. Second, there would be a heavy and unnecessary licensing burden on legitimate transactions that contribute to cybersecurity, such as using tools proposed for control to test systems and networks for vulnerabilities. Third, the rule could cripple legitimate cybersecurity research by subjecting vulnerability research, assessments and testing to export licensing requirements, including classification, screening and other control elements.
According to press reports, the United States has proposed a complete removal of the Wassenaar rule’s controls on exports of technology for the development of intrusion software. A decision on this proposal is not expected until the organisation’s plenary meeting in December. In the nearer term the United States will also seek to discuss with the other 40 Wassenaar members ways to limit the hardware and software necessary to develop and control intrusion software that would be subject to the rule’s export restrictions.